2019 has already laid witness to the largest data breach on record. Collection #1 revealed 773 million email addresses had been breached, along with some 21 million passwords. Access to this information opens doors for hackers to scour through previously sent and received items, uncovering sensitive information such as bank details and addresses. Sometimes all you need to reset an account password is an associated email, hence the sheer scale of this breach raises significant concern.
In light of such large-scale data breaches, implementing a robust data security policy is imperative to all organisations, and it continues to climb up their priority lists to ensure customers’ and employees’ personal information is protected.
Coupled with this is a need for regulatory compliance. 2018 saw big changes to the data regulatory landscape, with the launch of the General Data Protection Regulation (GDPR) redefining the way organisations with a foothold in Europe must manage data—or face legal and reputational consequences. California has since followed suit, announcing it would instate the California Consumer Privacy Act (CCPA) to protect the privacy rights of Californian consumers.
However, regulatory fallout has had a paralysing effect on organisations that store data onsite. Faced with the issues of drives and other IT equipment that is faulty or has reached end-of-life, these organisations are letting hardware pile up rather than securely processing the equipment for return to the manufacturer or sanitising it for reuse.
The cause of this stockpiling can be linked back to uncertainty around how data management best practices align with meeting regulatory compliance. While hoarding devices may provide a false sense of security in the very short term, it’s costing organisations a significant amount of money. In fact, two out of every five organisations that store data in-house spend over $100,000 every year on storing useless hardware that could pose a significant security or compliance risk. Additionally, more than half of the organisations we spoke to had been cited at least one or two times in the past 24 months for failure to comply with data protection laws such as GDPR.
Start thinking about data end-of-life
One of the industry’s big trends is merging data privacy and data security. Organisations today need to think about more than just safeguarding data or securing network perimeters. Developing an understanding of how data needs to be processed and then complying with retention polices ultimately will lead to increased security. As it stands though, there is a worrying lack of knowledge on data sanitisation best practices. According to our recent survey, 56% of data center experts believe a quick reformat of a drive would permanently erase all data.
Organisations are also not managing data well enough across its entire lifecycle, particularly at end-of-life. Organisations need to implement plans for the permanent, irrecoverable removal of data that has reached the end of its useful life to comply with internal and external requirements. This will not only help reduce costs associated with storing data on useless hardware, but also aid in maintaining a high level of security.
Review re-use erase
It’s critical that an organisation can account for data at all stages of its lifecycle. Implementing proper retention, a data reviewal process and a consistent data audit trail can be instrumental in both ensuring and instilling confidence in an organisation that it is compliant. Regularly reviewing data to assess its business value and whether it needs to be archived for re-use or permanently erased is fundamental best practice. Not only do data erasure solutions offer compliance with all major government and industry standards, they also encourage best practice behaviour. For instance, reporting is an integral part of data erasure assurance, with digitally-signed erasure reports needed to prove that the data was removed.
Physical destruction is another method of data sanitisation, but it isn’t always the best option. The process of physical destruction can involve the shredding, degaussing or crushing of drives and other IT assets, either by the organisations themselves or a third party, to make the data on them unrecoverable. However, newer technology such as SSDs make this more difficult. Data has in fact been found on the remains of SSD drives, even after destruction. Plus, the negative environmental effect of physical destruction is something organisations should look to avoid.
While regulatory pressures are proving to be a challenge for many organisations, they are hugely important in the grand scheme of data privacy and proper data management. To avoid being stunned into regulatory paralysis, organisations must get their affairs in order, learning from examples of best practice by implementing processes that instil confidence. Organisations should no longer let their security issues lurk in the cupboard as they run the risk of one day facing big consequences.
Alan Bentley, President, Global Strategy at Blancco